<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msinfluentials.com/utility/FeedStylesheets/atom.xsl" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en"><title type="html">Jesper&amp;#39;s Blog</title><subtitle type="html">&lt;table&gt;&lt;tr&gt;&lt;td&gt;
	&lt;p align="center"&gt;&lt;font size="2"&gt;Obligatory file photo:&lt;/font&gt;&lt;br /&gt;
		&lt;img src="https://msinfluentials.com/blogs/jesper/jesper-new45x60.jpg" width="97" height="131" alt="" /&gt;&lt;/td&gt;&lt;td&gt;
		&lt;font face="Arial"&gt;Welcome to Jesper Johansson&amp;#39;s blog. This is my home for pontification on the web. In case this is your first time here, I have been working on information security for about 20 years, and have been writing and speaking on the topic for about 10. I am also a &lt;a href="https://mvp.support.microsoft.com/profile/Jesper"&gt;Microsoft MVP&lt;/a&gt; in Windows Security. &lt;br /&gt;My most recent book is &lt;b&gt;Windows Vista Security
		&lt;/b&gt;with Roger Grimes. Because I am also a scuba instructor you may find some posts related to that topic as well.&amp;nbsp; 
		Just because it took me so long to get it, I also like to say that I 
		have a Ph.D. in Management Information Systems from the University of 
		Minnesota. &lt;/font&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;</subtitle><id>http://msinfluentials.com/blogs/jesper/atom.aspx</id><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/default.aspx" /><link rel="self" type="application/atom+xml" href="http://msinfluentials.com/blogs/jesper/atom.aspx" /><generator uri="http://communityserver.org" version="3.1.21119.1142">Community Server</generator><updated>2008-02-28T09:08:00Z</updated><entry><title>Does your AMD-based computer boot after installing XP SP3?</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/05/08/does-your-amd-based-computer-boot-after-installing-xp-sp3.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/05/08/does-your-amd-based-computer-boot-after-installing-xp-sp3.aspx</id><published>2008-05-08T16:29:00Z</published><updated>2008-05-08T16:29:00Z</updated><content type="html">&lt;p&gt;&lt;strong&gt;Updates&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;div&gt;Updated May 8 to add information on a second issue.&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Updated May 9 to add information on&amp;nbsp;possible additional issues as well as instructions for using the recovery console.&amp;nbsp;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Updated May 10 with some clarifications, a possible video driver problem causing other STOP errors, and an additional work-around for the ASUS motherboard.&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Updated May 11 with a pointer to a Microsoft article on removing SP3, and added some information on a possible version for the faulting ATI Catalyst driver.&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;The Problem&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Last night WSUS deployed XP Service Pack 3 (SP3)&amp;nbsp;to the sole remaining computer running XP that I have. This morning, I came down and was greeted with incessant reboots. The computer booted, apologized for not being able to boot properly, asked if I wanted to boot into safe mode, defaulted to normal boot, rebooted, and so on and so on. At this point,&amp;nbsp;I want to clarify that the endless rebooting is not at all related to SP3 per se. The problem is that with some configurations, SP3 causes the computer to crash during boot, and Windows XP, by default, is set up to automatically reboot when it crashes. That is why you end up in the endless rebooting scenario.&lt;/p&gt;
&lt;p&gt;There are many possible reasons why a computer may crash at boot time. SP3 seems to introduce two that are related to AMD-based computers, and, possibly, one or two more that appear to affect Intel-based computers. Which one it is impacts which work-around you use. At this point, the information is still trickling in. If you have a crash on boot problem that does not match what I describe below, and it happened as soon as you installed SP3, I&amp;#39;m sure others would like to know as well, including as much detail as you can give us. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;First problem, affecting AMD-based computers with OEM images&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In my case, the computer&amp;nbsp;would boot into safe mode fine, so I did that. Not knowing what it was, I ran a disk check, which turned out to be a real mistake. Once I configured the computer to run a disk check at startup it would not even boot into safe mode.&lt;/p&gt;
&lt;p&gt;Fortunately, I know Bill Castner, another Microsoft MVP, and he pointed me to a solution. It turns out that this computer is running an OEM OS image from HP. If you have an HP computer with a part number that&amp;nbsp;ends with a &amp;#39;z&amp;#39; you have an AMD-based computer. Other manufacturers have also shipped AMD-based computers, but it is unclear whether they have built their images the same way HP did. &lt;/p&gt;
&lt;p&gt;The problem is that HP, and possibly&amp;nbsp;other OEMs, deploy the same image to Intel-based desktops that they do to AMD-based desktops. It also appears that this is unique to their desktop image, and any HP AMD-based laptops are unaffected by the problem. Because the image for both Intel and AMD is the same, all of them have the intelppm.sys driver installed and running. That driver provides power management on Intel-based computers. On an AMD-based computer, amdk8.sys provides the same functionality. &lt;a class="" href="http://support.microsoft.com/kb/888372"&gt;Microsoft points out in a Knowledge Base article&lt;/a&gt; that installing both drivers on the same computer is an unsupported configuration, putting the blame on the OEM that deploys the image. &lt;a class="" href="http://support.microsoft.com/kb/888372"&gt;The article in question&lt;/a&gt; was written when the same problem occurred after installing Service Pack 2 for Windows XP. &lt;/p&gt;
&lt;p&gt;Ordinarily, having intelppm.sys running on an AMD-based computer appears to cause no problems. However, on the first reboot after a service pack installation, it causes a big problem. The computer either fails to boot, as in my case, or crashes with a STOP error code of 0x0000007e. If you see that error code you almost certainly have this problem.&amp;nbsp;The&amp;nbsp;computer will boot into safe mode because the drivers are disabled there. Please note here that simply having the intelppm.sys file on your computer is not the problem so searching for it in the Windows directory is not relevant. It must be running to cause a problem.&lt;/p&gt;
&lt;p&gt;You may not see the error code because the computer reboots too fast. To force the computer to stop when it crashes, you need to set an option during startup. To do so, hit the F8 key during restart right when you see the black Windows XP screen come up. Then select the &amp;quot;Disable automatic restart on system failure&amp;quot; option, as shown below:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://msinfluentials.com/blogs/jesper/Disable%20Automatic%20Restart.jpg"&gt;&lt;img src="https://msinfluentials.com/blogs/jesper/Disable%20Automatic%20Restart.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;To fix the problem, boot into safe mode, or boot to a WinPE disk, or into the recovery console, and disable the intelppm.sys driver. &lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;font color="red"&gt;WARNING: Do NOT under any circumstance disable the intelppm driver on an&amp;nbsp;Intel-based computer. It will make your computer not boot! If your computer will not boot because you disabled the intelppm driver on an Intel-based computer, follow the directions in the Recovery Console section below.&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;If you have an AMD-based computer, however, you do not need the intelppm driver and can disable it.&amp;nbsp;Boot into Safe Mode by hitting the F8 key as above, but select Safe Mode instead. You will need your Administrator account to log on in safe mode. To disable the driver, take the following steps:&lt;/p&gt;
&lt;p&gt;If you booted into the recovery console, from a command prompt, run &amp;quot;disable intelppm&amp;quot;&lt;/p&gt;
&lt;p&gt;If you booted into safe mode you can run &amp;quot;sc config intelppm start= disabled&amp;quot;&lt;/p&gt;
&lt;p&gt;If you booted into WinPE, you have to manually edit the registry. Do this:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div&gt;Run regedit&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Click on HKEY_LOCAL_MACHINE&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;From the File menu, select &amp;quot;Load hive&amp;quot;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Navigate to %systemdrive%\Windows\System32\Config on the dead system and select the file named System&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Name it something you can remember, such as &amp;quot;horked&amp;quot;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Navigate to horked\ControlSet001\Services\IntelPPM&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Double click the Start value and set it to 4&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;If you did what I did and completely destroyed things by running a disk check, navigate to horked\ControlSet001\Control\Session Manager. Open the BootExecute value and clear out the autochk entries&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Repeat steps 6-8 for the other control sets.&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Reboot&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;If this was your problem, the computer should now reboot just fine.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Second problem, affecting certain AMD motherboards&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The second problem type manifests itself in a different error code during boot, and also seems to affect only AMD-based computers. The error code will say something similar to:&lt;/p&gt;
&lt;div&gt;&lt;em&gt;Problem was detected and windows has been shut down to protect your computer from damage. &lt;/em&gt;&lt;/div&gt;
&lt;div&gt;&lt;em&gt;&lt;/em&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;em&gt;The BIOS in this system is not fully ACPI compliant &lt;/em&gt;&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;You will then get some information about how to update your BIOS. The BIOS is the basic operating system built into the computer that handles reading and writing from disk and memory, as well as some other devices. That is most likely not your problem. The screen ends with the tell-tale error code: &lt;em&gt;STOP: 0x000000A5.&lt;/em&gt; If you have that error code, and you just installed SP3, this is most likely your problem. &lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;At the moment, I do not know for sure why this is happening, and I have not personally seen it. The people that have seen it seem to all have custom built AMD computers. Possibly, it is related to computers with the &lt;font size="2"&gt;ASUS A8N32-SLI Deluxe motherboard, and possibly some others too,&amp;nbsp;in them. Several different AMD processors have been fitted on that board, however, so it seems more likely to be the board than the processor. &lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;font size="2"&gt;The solution is simplicity itself: insert a USB flash drive, or some other form of secondary storage mechanism, before booting the computer. The people have that have seen this problem report that it goes away when they do. The catch is that the computer will only boot with a secondary&amp;nbsp;drive attached. If you remove the secondary drive it will no longer boot. &lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;font size="2"&gt;It also appears that this could be related to using a USB mouse. If you have a USB mouse, try moving it to the PS/2 port instead (the little round port, you should have received an adapter with your mouse). That seems to resolve the problme without the use of an external USB flash drive. &lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;&lt;font size="2"&gt;If you have this problem, and either solution helps, or even if they do not help, I&amp;#39;d appreciate a comment on the blog so we can figure out what is going on here. &lt;/font&gt;&lt;/div&gt;
&lt;p&gt;&lt;strong&gt;Other STOP Errors&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Every time a service pack is installed, or any major maintenance like it is performed, a certain, very small,&amp;nbsp;number of computers seem to not come back up. The reasons could range from malware on them that is conflicting with the installation or the new files, to bad hardware that somehow failed at that very moment. &lt;/p&gt;
&lt;p&gt;For that reason, there may be other STOP errors involved in this problem. Due to the default settings in XP, all of them would result in an endless reboot cycle. Only if there are many of them does it usually indicate a problem with the service pack. A fair number of people are reporting an error code 0x00000024. It usually means either that the file system driver, ntfs.sys, has been corrupted, or you have a hard disk with bad blocks in bad places. It could be totally unrelated to the service pack. At this point, I just do not have enough details to tell. This one seems to be more related to Intel-based computers though. &lt;/p&gt;
&lt;p&gt;It is also possible that 0x00000024 has to do with a faulty video driver. I have seen a couple of reports of crashes caused by the ATI Catalyst 8.4 drivers, and one of a crash involving an nVidia driver of some kind, but I do not know which one. To see if that is your problem, try booting into Safe Mode or VGA mode. If VGA mode works you very likely have a video driver issue. Gary Barclay, in a comment below, pointed out that the 8.432 version of the driver may be the one that is faulting, and that version 8.467 appears to work properly. If anyone else can confirm that, I&amp;#39;m sure many others will be happy about it. &lt;/p&gt;
&lt;p&gt;If you are getting the 0x00000024 error, there are a couple of things to try:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;There is some&amp;nbsp;good &lt;a class="" href="http://support.microsoft.com/kb/935806"&gt;information in the Microsoft knowledge base&lt;/a&gt; on how to trouble-shoot STOP errors. Try following that. &amp;nbsp;&lt;/li&gt;
&lt;li&gt;If you have multiple drives in the computer, disconnect them one by one and try booting. The problem may not be on your primary drive and this could let you isolate which one has the problem.&lt;/li&gt;
&lt;li&gt;Run chkdsk /r. The problem could be file system related, and chkdsk could fix it. However, to do that you have to boot the computer successfully. If you have a 0x00000024 error, it will not boot even into safe mode. You will need to follow the instructions in the Recovery Console or WinPE sections below to boot the computer.&lt;/li&gt;
&lt;li&gt;Replace the ntfs.sys driver. If the driver file itself has become corrupted there is a backup copy in the %windir%\system32\dllcache folder. If nothing else helps, you could try replacing the version in %windir%\system32\drivers folder with the one from dllcache and see if maybe it was a corrupted file problem.&lt;/li&gt;
&lt;li&gt;If you have an ATI or nVidia driver for your graphics card, notably the ATI Catalyst 8.4, and your computer will not boot, try booting into VGA mode and see if that works. If it does, you almost certainly have a video driver problem. Uninstall the driver and see if Windows will find a better one. If this works for you, please either contact me using the contact link, or post a comment, so others can learn what is really happening here. &lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;There have also been sporadic reports of video driver problems as well as other issues, like the VPN issues. Most of those have to do with some form of third-party software that does not work with SP3. If you have a problem that is not covered here, it would be good if you could let us know. It may be related to SP3, in which case others may have it too. The VPN issue mentioned by one of the posters has me very interested, for example. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Using the Recovery Console in XP&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;If you cannot boot into safe mode you can try using the Recovery Console in Windows XP. This requires you to have a Windows XP CD. Knowledge Base Article &lt;a class="" href="http://support.microsoft.com/kb/307654"&gt;307654&lt;/a&gt; has directions on how to use it. You do not need to follow the instructions for how to install it. In fact, if you have a problem like the 0x00000024 issue above, you probably cannot boot from an installed recovery console anyway.&lt;/p&gt;
&lt;p&gt;In brief, to boot from the recovery console in XP, do this:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div&gt;Insert your Windows XP CD&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Boot the computer&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Select to boot from the CD. On many computers you have to hit a button to do that. On Dell computers the button is usually F12. On HP it is usually ESC.&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;The computer will work for a while and eventually you get a screen that says &amp;quot;Welcome to Setup&amp;quot;. Hit the R key here&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;It will ask you which installation you want to boot. If you have several XP installations on this computer, select the one you want. Of course, if you have several installations, and one still works, you would not need these steps.&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Type the administrator password for the installation you need to repair. &lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;At this point, you should be at a command prompt. The commands you can run are very limited and they are often different from what you are used to. If you have disabled the intelppm driver on an Intel-based computer and need to re-enable it, run &amp;quot;enable intelppm SERVICE_SYSTEM_START&amp;quot;. &lt;/p&gt;
&lt;p&gt;If you need to run chkdsk you can do it from the recovery console window as well. The C: drive is the boot volume in your Windows XP installation. To run the full check run &amp;quot;chkdsk c: /p /r&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Build a WinPE Disk on a Flash Drive&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Another option, recommended for advanced users, is to have a Windows PE disk handy. Windows PE is a miniature version of Windows that can boot from a CD and, starting with Windows Vista, from a USB flash drive. I wrote up &lt;a class="" href="http://www.amazon.com/gp/product/0470101555?ie=UTF8&amp;amp;tag=protectyourwi-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0470101555"&gt;directions on how to build a Flash Drive with Windows PE&lt;/a&gt; in the Vista book, and there are now also &lt;a class="" href="http://technet2.microsoft.com/WindowsVista/en/library/31b6b2c0-2739-4204-88f0-2000a4b9e20a1033.mspx?mfr=true"&gt;directions on TechNet&lt;/a&gt;. You need to have access to a computer that boots, and you need a copy of the &lt;a class="" href="http://www.microsoft.com/downloads/details.aspx?familyid=94BB6E34-D890-4932-81A5-5B50C657DE08&amp;amp;displaylang=en"&gt;Automated Installation Kit (WAIK)&lt;/a&gt;. Once you burn the AIK image to a disk you can install it and start building your Win PE disk. &lt;/p&gt;
&lt;p&gt;Using a Windows PE disk you get access to all the normal tools, like regedit. It has far more features than what you have with the recovery console, but requires a lot more prep work to get started. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Removing SP3&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;A few people decided the problems were sufficient to just remove SP3 altogether. If you have a problem that is not covered above, that may be your best option for the moment. Microsoft just published an &lt;a class="" href="http://support.microsoft.com/kb/950249/en-us"&gt;article on how to remove the service pack&lt;/a&gt;. It includes information on how to remove it even from the Recovery Console, so even if your computer will not boot you should be able to do it. &lt;/p&gt;&lt;p&gt;&lt;img src="http://msinfluentials.com/ink/45.ashx?633458446222030000" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7647" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Running Windows" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Running+Windows/default.aspx" /></entry><entry><title>Phishing for a Tax Refund</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/05/04/phishing-for-a-tax-refund.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/05/04/phishing-for-a-tax-refund.aspx</id><published>2008-05-05T04:30:00Z</published><updated>2008-05-05T04:30:00Z</updated><content type="html">&lt;p&gt;What&amp;#39;s wrong with this picture?&lt;/p&gt;
&lt;p&gt;&lt;a href="https://msinfluentials.com/blogs/jesper/Phishing%20the%20IRS.jpg"&gt;&lt;img src="https://msinfluentials.com/blogs/jesper/Phishing%20the%20IRS.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;If you answered &amp;quot;why would the IRS use a web server in Korea to ask for information about my tax refund&amp;quot; you are a winner!&lt;/p&gt;
&lt;p&gt;This is a phishing site preying on people who do not know that all you need to do to get your tax rebate is to file a tax return this year. Apparently, this is the hot new phishing scam, and the IRS has &lt;a class="" href="http://www.irs.gov/privacy/article/0,,id=179820,00.html"&gt;instructions for how to handle it&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;The e-mail came in at 21:07 PDT today. By 21:30 PDT it was not&amp;nbsp;recognized as a phishing site by either Internet Explorer or Firefox. By 21:35 Firefox had it marked. Impressive. By 21:40 IE did not have it marked, which I found interesting. &lt;/p&gt;&lt;p&gt;&lt;img src="https://msinfluentials.com:443/ink/44.ashx?633455411040170000" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7641" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Security" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Security/default.aspx" /></entry><entry><title>Warning! Don't run Anti-Malware Software on Your Research Machine</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/05/01/warning-don-t-run-anti-malware-software-on-your-research-machine.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/05/01/warning-don-t-run-anti-malware-software-on-your-research-machine.aspx</id><published>2008-05-01T19:20:00Z</published><updated>2008-05-01T19:20:00Z</updated><content type="html">&lt;p&gt;I do not run any anti-malware software on my primary workstation. It&amp;#39;s a habit I got into way back when I was doing penetration assessments. I showed up at the site, fired up ye olde laptop, and went to run some tool. ...went to run some tool. Hey, where did that tool go? It &lt;em&gt;was&lt;/em&gt; there when I left home?!? Turns out the anti-malware software that the company shoved down on my laptop had removed the tools I needed to do my job because they were deemed to be malware. Today I had another reminder of why this is probably a good policy for me.&lt;/p&gt;
&lt;p&gt;On a whim I decided to run the latest beta of the &lt;a class="" href="http://onecare.live.com/site/en-us/center/whatsnew.htm"&gt;OneCare Live Safety Scanner&lt;/a&gt; on my primary laptop. I was very surprised when the scanner actually found some malware on my computer. This was the first time &lt;em&gt;any&lt;/em&gt; anti-malware had found &lt;em&gt;any&lt;/em&gt; malware on &lt;em&gt;any&lt;/em&gt; of my computers since some free anti-virus for the Macintosh found a virus on a floppy disk I put in my Mac II Se, in 1991. After a 17-year hiatus, I finally managed to contract some malware! &lt;/p&gt;
&lt;p&gt;After the scan was finished I had my explanation:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://msinfluentials.com/blogs/jesper/OneCare%20Cleaned%20My%20Research!.jpg"&gt;&lt;img src="https://msinfluentials.com/blogs/jesper/OneCare%20Cleaned%20My%20Research!.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The infection was in my dev projects directory, in a&amp;nbsp;directory called moztests. That&amp;#39;s where I put the files I wrote&amp;nbsp;when I was working on what Mozilla eventually patched as &lt;a class="" href="http://www.mozilla.org/security/announce/2007/mfsa2007-27.html"&gt;MFSA2007-27&lt;/a&gt;. OneCare just cleaned my research off my computer! &lt;/p&gt;
&lt;p&gt;Do not misunderstand me. I am &lt;strong&gt;not&lt;/strong&gt; saying that you should not use anti-malware software. I am not even saying that you should do as I say, not as I do, as many security &amp;quot;experts&amp;quot; tend to say. All I am saying is that you need to consider the consequences of &lt;strong&gt;all&lt;/strong&gt; software you install. While it is true that I do not see much malware on any of the computers I manage, that is not a reason to not run anti-malware on them. You need to consider the risks of not doing so. I would never leave our kitchen computer, the closest thing to a kiosk that we have in my house, without anti-malware. Likewise, I find it wise to run it on the kids&amp;#39; computer. My laptop, on the other hand,&amp;nbsp;is used for all kinds of work where the anti-malware would get in the way, so I refrain from it, accepting the risk that I may, inadvertently, one day click on something&amp;nbsp;I shouldn&amp;#39;t. To at least minimize that risk I run as a standard user in Windows Vista. &lt;/p&gt;
&lt;p&gt;Furthermore, there is one additional thing you should consider. If we took the advice of some authorities and stopped running anti-malware software, would the status quo - the state where we really do not find much active malware - remain? Of course not. Right now the malware purveyors are mutating their software at extremely rapid rates, producing, literally, millions of new malware every year. At an event last week I heard a figure that we are on track to see &lt;a class="" href="http://sunbeltblog.blogspot.com/2008/01/growth-of-malware.html"&gt;5 million unique pieces&lt;/a&gt; of malware again this year. Yet, most people I talk to say their anti-malware solution never&amp;nbsp;finds any of it on their computers. More than likely&amp;nbsp;that is due in large part to the fact that&amp;nbsp;the vast majority are mutations of earlier versions; created to stay ahead of the anti-malware software. If we remove anti-malware software from the eco-system we would make it that much easier for the bad guys to control us. They could stop the mutation arms race and focus instead on getting fewer versions deployed to more computers, and we would have no hope of catching any of it. Therefore, the advice to not run anti-malware is unsound at best. It has simply become a cost of using a computer these days; a cost of keeping the eco-system as sound as is possible with a technology-only solution. &lt;/p&gt;
&lt;p&gt;However, you may want to think twice about anti-malware on a computer you use for vulnerability research.&lt;/p&gt;&lt;p&gt;&lt;img src="https://msinfluentials.com:443/ink/43.ashx?633452499603592500" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7633" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Security Pontification" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Security+Pontification/default.aspx" /></entry><entry><title>Quantum Security</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/04/22/quantum-security.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/04/22/quantum-security.aspx</id><published>2008-04-23T01:37:00Z</published><updated>2008-04-23T01:37:00Z</updated><content type="html">&lt;p&gt;The May 2008 issue of &lt;a class="" href="http://www.technetmagazine.com/"&gt;TechNet Magazine&lt;/a&gt; is out. It has an article in it that I have been wanting to write for a long time, called &lt;a class="" href="http://technet.microsoft.com/en-us/magazine/cc462812.aspx"&gt;Quantum Security&lt;/a&gt;. In it I posit the argument that there are some fundamental laws of security, similar to the laws of physics, which we must not ignore in our risk management practices. I also got to include a revised version of the age-old Annualized Loss Expectancy (ALE) equation. Anyone who has taken the CISSP exam should be familiar with ALE. I believe the equation in common use is outdated and fails to account for the modifications we make to systems when we apply security to them. To properly address risk we need an updated version of the ALE. The article includes the rationale.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;The article is available online, but I think the print version looks a lot nicer. Let me know what you think about it.&lt;/p&gt;&lt;p&gt;&lt;img src="https://msinfluentials.com:443/ink/42.ashx?633444938006730000" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7629" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Security Pontification" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Security+Pontification/default.aspx" /><category term="Thinking differently" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Thinking+differently/default.aspx" /></entry><entry><title>How to remove the security warning, or should you?</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/04/21/how-to-remove-the-security-warning-or-should-you.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/04/21/how-to-remove-the-security-warning-or-should-you.aspx</id><published>2008-04-21T18:10:00Z</published><updated>2008-04-21T18:10:00Z</updated><content type="html">&lt;p&gt;This morning there was an interesting question in the &lt;a class="" href="http://windowshelp.microsoft.com/communities/newsgroups/en-us/default.mspx?dg=microsoft.public.windows.vista.security&amp;amp;lang=en&amp;amp;cr=US&amp;amp;r=9dcac6a3-b8e7-4ba3-aa06-4e38b8ee9f35"&gt;Windows Vista Security Newsgroup&lt;/a&gt;. The poster had written an application that users were downloading. However, when they ran the application they received a warning dialog, like this one:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://msinfluentials.com/blogs/jesper/Open%20File%20-%20Security%20Warning.jpg"&gt;&lt;img src="http://msinfluentials.com/blogs/jesper/Open%20File%20-%20Security%20Warning.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The poster wanted to remove this warning dialog to avoid confusing users.&lt;/p&gt;
&lt;p&gt;This dialog is created because Internet Explorer, and some other applications, add a bit to the file to mark it as being downloaded from the Internet. It serves as a warning that this may be untrusted content. If the file is digitally signed, the warning does not have the red shield, and the publisher is listed in the dialog, but otherwise it stays the same. The poster asked if getting a digital certificate and signing the executable would get rid of the warning. It will not. This warning is there to warn the user. I think it is an important safety mechanism, and that, rather than trying to remove the warning, which is possible, we should help the user understand it. Therefore, here is my response:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;You should definitely digitally sign the application no matter what. However, that will not remove the warning. It just will have your (or your company&amp;#39;s) name in the dialog and won&amp;#39;t say &amp;quot;Unknown Publisher.&amp;quot;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Technically, there is a way to get rid of this warning, but it is there as a warning to end users. If you remove it here, you would also remove it for all other executables. That would put your users at significant risk. If you programmatically remove that warning, you would be responsible for putting them at significant risk; a responsibility that I am pretty sure you do not want to accept. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Rather, I would suggest that you take the opportunity to educate your users. Teach them that the warning is there so that they can assess whether they want to accept the risk involved in opening applications off the Internet. In this case, you have digitally signed the application so they can trace it to you and have assurance that they are, in fact, opening a trusted application. Anytime they get a dialog like this they should evaluate it and see if they really want to accept that risk or not. If the publisher is unknown, they have no way to tell who wrote the application, and should consider it a higher risk.&lt;br /&gt;&lt;/em&gt;&lt;em&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;u&gt;Update, April 22, 2008:&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Based on the comments, it is quite obvious that I was not clear enough in the post. Yes, IE adds a flag to downloaded files through alternate data streams, and there are tools that can show you those streams, and even the built-in unzip tool in Windows adds the same flag if the archive that was unzipped has the flag set. The point, however, was not how a very technically savvy user can download an advanced tool and manually review the alternate data streams, and possibly remove them. If all you want to do is remove that flag, it would be far simpler, in fact, to uncheck the box in the dialog for &amp;quot;Always ask before opening this file&amp;quot;; although maybe inspecting and twiddling with alternate data streams would be more satisfying for some segment of computer users. &lt;/p&gt;
&lt;p&gt;The point I was trying to make was that a lot of people in the tech community focus on hiding warnings from the user so that the user is not bothered, ostensibly with data they are not competent to parse. That is wrong. There are very good reasons for these warnings in many cases. Rather than trying to prevent users from seeing them, we all need to do our part to help users understand what they are seeing and make appropriate decisions based on that data. That would provide a savvier user base and a more secure eco-system in the long run. We cannot keep focusing on preventing people from making risk management decisions any longer. If we do, eventually, they will realize they do not have the skills to do so, and that nobody is willing to help them acquire those skills. At that point, the eco-system will be in danger of collapse. &lt;/p&gt;&lt;p&gt;&lt;img src="http://msinfluentials.com/ink/41.ashx?633443808141570000" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7619" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Security Pontification" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Security+Pontification/default.aspx" /></entry><entry><title>Today's forecast for O'Hare: Lots of Vulnerable Computers</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/04/19/today-s-forecast-for-o-hare-lots-of-vulnerable-computers.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/04/19/today-s-forecast-for-o-hare-lots-of-vulnerable-computers.aspx</id><published>2008-04-20T04:38:00Z</published><updated>2008-04-20T04:38:00Z</updated><content type="html">&lt;p&gt;&lt;a class="" href="http://dnn.ebsfaq.com/"&gt;Olliver Sommer&lt;/a&gt;, a German Small Business Server MVP, flew home from the Microsoft MVP Summit via O&amp;#39;Hare Airport in Chicago. 
While there, he spotted this &lt;a class="" href="http://www.flychicago.com/ohare/concessionsohare/pdf/NewWiFiBrochure.pdf"&gt;wonderful piece of advice&lt;/a&gt; for how to configure your computer to use the airport wireless network. &lt;/p&gt;
&lt;p&gt;The document is meant well, but lacks a bit in the execution. It recommends that you disable exceptions in Windows Firewall because doing so stops attacks through Windows Messenger while on the wireless network. Of course, you would only get attacked through Messenger if you actually accept unsolicited requests from people.&lt;/p&gt;
&lt;p&gt;The document then goes on to show how to disable the exceptions. It even has a screenshot, which would work far better if the screenshot showed the exceptions disabled. Instead, the screenshot shows the firewall turned off entirely. One has to wonder how many people followed the advice in the picture as opposed to the text. &lt;/p&gt;
&lt;p&gt;Then comes the pièce de résistance. The document recommends you disable &lt;a class="" href="http://technet.microsoft.com/en-us/library/bb457104.aspx"&gt;Simple File Sharing&lt;/a&gt;. This presumes that you are using Windows XP Pro, as Windows XP Home does not permit you to turn off Simple File Sharing. Simple File Sharing, as it turns out, is partially a user interface feature that governs which sharing user interface you see. However, there is an internal feature as well. In fact, Simple File Sharing is essentially the Force Guest feature. If Force Guest is turned on, all users connecting from the network connect as Guest. In other words, by disabling Force Guest, you would enable remote users to connect as an authenticated user, potentially even an administrator. Force Guest ensures that the only thing a remote user can do is read, and write if you have permitted that, the files you have made available to network users. Turn off Force Guest and a user that guesses the password of your administrative account can take over your computer.&lt;/p&gt;
&lt;p&gt;In other words, the guidance that O&amp;#39;Hare Airport is publishing has you disable the firewall and enable traditional file sharing so anyone can start guessing passwords against your computer. One wonders if this is perchance some new Transportation Security Administration (TSA) inspection scheme to investigate what is on your laptop?&lt;/p&gt;&lt;p&gt;&lt;img src="https://msinfluentials.com:443/ink/40.ashx?633442461862655000" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7615" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Windows Security" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Windows+Security/default.aspx" /></entry><entry><title>Apparently I am an Australian MVP</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/04/17/apparently-i-am-an-australian-mvp.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/04/17/apparently-i-am-an-australian-mvp.aspx</id><published>2008-04-17T22:48:00Z</published><updated>2008-04-17T22:48:00Z</updated><content type="html">&lt;p&gt;The Australian MVPs at the Microsoft MVP Summit this week were overshadowed in national pride only by the Canadians, by a lot. So, the Australian&amp;#39;s coopted a Brit and, well, me, so their attendance numbers would look better. &lt;a class="" href="http://www.flickr.com/photos/25683453@N02/2415776236/in/photostream/"&gt;The result is on Flickr&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;So guys, does that mean you&amp;#39;re going to have me come back down under anytime soon, like, say, during diving season?&lt;/p&gt;&lt;p&gt;&lt;img src="https://msinfluentials.com:443/ink/39.ashx?633440515077971250" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7613" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author></entry><entry><title>What I Learned from Attending the Windows Launch Event Today</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/04/01/what-i-learned-from-attending-the-windows-launch-event-today.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/04/01/what-i-learned-from-attending-the-windows-launch-event-today.aspx</id><published>2008-04-02T02:55:00Z</published><updated>2008-04-02T02:55:00Z</updated><content type="html">&lt;p&gt;Today I attended the Microsoft 2008 server wave launch event in Seattle. In the process I learned a number of things:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div&gt;The launch event apparently does not need to coincide with actually launching anything. Server 2008 launched a couple of months ago. Visual Studio 2008 launched in November 2007, and SQL Server 2008, the third part of the trifecta that comprised the launch, will not actually launch until the third quarter this year.&lt;br /&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;The primary purpose of launch events is apparently to get free junk, and in some cases, other stuff, from a collection of vendors you have never heard of and don&amp;#39;t care about. I hung out in the &amp;quot;Ask the Experts&amp;quot; booth for a while, with fellow MVP Alun Jones. I think we answered more questions about &amp;quot;so, what free stuff do you give away&amp;quot; or &amp;quot;would you like to scan my badge for your drawing&amp;quot; than we did on any other topic. We did not actually have any drawing, nor any free stuff to give away other than actual knowledge, or at least, opinions. We answered precious few security questions. &lt;br /&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Explaining to people that you are a security &amp;quot;expert&amp;quot; apparently does not stop them from asking you questions about SharePoint.&lt;br /&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;What the one sausage said to the other sausage in the frying pan (yeah, it was bad, and it is not really worth the bits to relay it)&lt;br /&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Windows Firewall with Advanced Security stops malware from spreading on your network. Yes, that&amp;#39;s right. I went to the security presentation and, apparently, in conjunction with System Center, Windows Firewall will somehow cause malware to ask for permission before sending your credit card to Russia and your bank account to China. Had I not known already that no host-based firewall can stop malware running on a computer from sending anything to anyone, I might actually have been convinced by this claim. As it was, I was just kind of appalled that Microsoft now officially makes the same ludicrous and impossible claims that the security vendors do.&lt;br /&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Network Access Protection (NAP) provides &amp;quot;Secure Access Control&amp;quot; to your network. Apparently it does this by giving your computer a bogus IP address. This means that the domain admin that logs on to a workstation cannot disable the built-in firewall. Yes, that is correct, during the demo, the presenter actually logged on to a Vista client using a domain admin account (bad), and then claimed that NAP can stop the locally logged on user from doing whatever that user possibly pleases to do (untrue).&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;At that point, I decided I had had enough marketing shill for one day. The event was interesting, and I think most of the attendees got some value out of it in that they learned a little about some new features. However, the NAP issue deserves some additional commentary.&lt;/p&gt;
&lt;p&gt;In case you did not know, NAP is a policy compliance feature in Windows Server 2008. It will ask well-meaning clients to provide their state of health before they get to communicate on the network. It can use three different &amp;quot;enforcement&amp;quot; mechanisms. One is DHCP based. The client simply does not get a proper lease. One is IPsec based - the client does not get the proper material to negotiate IPsec security associations. And the third is 802.1x-based - the switch won&amp;#39;t open the port to the correct network until the client is considered good.&lt;/p&gt;
&lt;p&gt;As you can probably tell, the DHCP based &amp;quot;enforcement&amp;quot; is extremely weak. The user on the client, or some piece of malware, can simply configure a valid IP address and go to town on the network. 802.1x can be easily defeated by installing a hub in front of the switch, letting a legitimate client open the switch port, and then stealing the port by setting your MAC address on a rogue host on the same hub to the same address as the legitimate client. The IPsec enforcement is considerably more difficult to circumvent, but you can still do it by making the NAP client lie.&lt;/p&gt;
&lt;p&gt;The short story, then, is that NAP still relies on the client to tell the Network Policy Server (NPS) what its state is. If the client lies, the NPS server has no way to know the difference, and will trust it. I actually helped design NAP, years ago, and this was a weakness we were very aware of then, but saw no way around. Yet, NAP is still valuable. It is a great technology to ensure that compliant clients stay compliant; that non-malicious clients have all the necessary policies deployed, the right patches installed, the correct anti-malware software running and updated, and so on. Every network security administrator should definitely spend some time with NAP and consider whether it could provide another valuable tool in their arsenal.&lt;/p&gt;
&lt;p&gt;However, NAP does NOT provide &amp;quot;Secure Access Control&amp;quot; to the network. It does not do so because it cannot provide true security. It cannot prevent malicious clients from getting on the network. Unless it is used with IPsec enforcement, in conjunction with &lt;a class="" href="http://www.microsoft.com/sdisolation"&gt;Server and/or Domain Isolation&lt;/a&gt;, it also cannot prevent a malicious client from communicating with any other computer on the network. None of that makes it useless, nor does it mean that it is not a security technology. Policy enforcement, even when only on clients that choose to comply, is still a security concern, and a valid objective. Keeping managed clients managed is important. However, it is also really important that we understand the limitations of the technologies we are using, which is why I wrote this post. &lt;/p&gt;&lt;p&gt;&lt;img src="http://msinfluentials.com/ink/38.ashx?633426858743732772" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7576" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Windows Security" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Windows+Security/default.aspx" /><category term="Windows Vista" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Windows+Vista/default.aspx" /><category term="Windows Server 2008" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Windows+Server+2008/default.aspx" /></entry><entry><title>Troubleshooting Permission Errors While Updating Software</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/03/31/troubleshooting-errors-while-updating-software.aspx" 
/><id>http://msinfluentials.com/blogs/jesper/archive/2008/03/31/troubleshooting-errors-while-updating-software.aspx</id><published>2008-04-01T02:30:00Z</published><updated>2008-04-01T02:30:00Z</updated><content type="html">&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;strong&gt;Change log:&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Updated on April 8, 2008, with information on Norton Internet Security and Windows Installer 3.1.&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;A number of people are reporting errors when running software update tools. The tools include Windows Update, Windows Defender Updates, Installshield, Adobe Updater, and probably others as well. The errors include 80070005 (from Windows tools) and c0000005 (from others). To see if we can help people get their software updates, &lt;a class="" href="http://mowgreen.castlecops.com/"&gt;Steve Wechsler&lt;/a&gt; helped me put together some troubleshooting steps. If these steps help, and more so if they don&amp;#39;t, we&amp;#39;d like to hear about it. If you find something else that helps, let us know by posting a comment. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;All these errors indicate a permissions issue of some kind. All of them basically mean &amp;quot;Access Denied&amp;quot;. However, determining exactly what the cause is can be difficult. There seem to be two main reasons why this is happening: multiple firewalls on the same computer, and a permissions issue, usually in the registry.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;strong&gt;&lt;u&gt;Multiple Firewalls&lt;br /&gt;&lt;/u&gt;&lt;/strong&gt;Several people with this problem report that it disappeared when the shut down one of the several firewalls they had on their computer. If you have installed a security suite, such as Norton Internet Security, on a Windows Vista computer, you have multiple firewalls. That, in and of itself, is not a problem as long as only one of them is running. However, if two, or more, are running at the same time, you will run into trouble. Some third-party firewalls appear to fail to properly disable the built-in Windows Firewall. If you have a third-party security suite installed, take the following steps to ensure the Windows Firewall with Advanced Security is turned off:&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana" size="2"&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Click the Window button (the start menu)&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;In the search dialog, type &amp;quot;Windows Firewall&amp;quot;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;In a few seconds you will have a couple of results, including one that says &amp;quot;Windows Firewall&amp;quot;. Click that one&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;If the right-hand window says &amp;quot;Windows Firewall is on&amp;quot; click &amp;quot;Change settings&amp;quot;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Accept the User Account Control prompt by clicking &amp;quot;Continue&amp;quot;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Select the &amp;quot;Off (not recommended)&amp;quot; radio button and click OK. WARNING: do not do this unless you are sure you have a third-party firewall!&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Attempt to run the updater that failed again. &lt;/font&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;If this resolves the problem you can resolve it permanently by either leaving Windows Firewall off, or by disabling the third-party firewall. For the most part, they perform the same function, although the built-in firewall typically is far less intrusive and more stable. To disable the third-party firewall refer to the manufacturer&amp;#39;s documentation.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;strong&gt;&lt;u&gt;Permissions Problems&lt;/u&gt;&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;If you do not have two firewalls the problem is almost certainly permissions related. If this is your case you need to resort to advanced troubleshooting tools.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Follow these steps carefully. They are written for Windows Vista, but the problem has also affected Windows XP. With only minor modifications (such as the ommission of the UAC elevation-related steps) they work on Windows XP as well. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Keep in mind that setting incorrect permissions can significantly harm your computer, to the point where it is either completely insecure, will not boot, or both. There are multiple recommendations out on the Internet that recommend that you change the permissions on large parts of the registry and the operating system. Doing so will render your computer unsupported and disable significant parts of the security sub-system. Surgical precision is key when modifying permissions. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;First, download Microsoft/System Internals&amp;nbsp;Process Monitor from &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx"&gt;http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx&lt;/a&gt;. Save it somewhere you can remember, such as your Downloads directory or the desktop.&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Open the Downloads directory in Windows Explorer (the easiest way is to hold down the Window key and hit E, click your name, and click Downloads)&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Right-click ProcessMonitor and select &amp;quot;Extract all...&amp;quot; Walk through the wizard to extract the files&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;In the window that opens when the extraction is complete, double-click &amp;quot;procmon&amp;quot; or &amp;quot;procmon.exe&amp;quot;&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;In the &amp;quot;Open File - Security Warning&amp;quot; prompt, uncheck the box that says &amp;quot;Always ask before opening this file&amp;quot; and click Run&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Accept the User Account Control prompt by selecting Continue&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Accept the license agreement (no, the next time you run the tool you will only have the User Account Control prompt, not all three)&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Maximize the window&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Hold the CTRL key and hit L&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;In the drop-down that says &amp;quot;Architecture&amp;quot; select &amp;quot;Result&amp;quot;&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;In the text box next to &amp;quot;Is&amp;quot; type &amp;quot;ACCESS DENIED&amp;quot; (without the quotes). Here is what it should look like:&lt;br /&gt;&lt;a href="https://msinfluentials.com/blogs/jesper/Procmon%20Filter.jpg"&gt;&lt;img src="https://msinfluentials.com/blogs/jesper/Procmon%20Filter.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Hit the Add button&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Hit OK&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Hold CTRL and hit X to clear the output window&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;You now have Process Monitor monitoring all operations on the computer. At this point, retry the updater that fails. If the updater fails with a permissions problem, you should get entries in the Process Monitor window. Each one indicates a potential problem that could harm your ability to install updates, although they may also be unrelated. &lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana" size="2"&gt;Here is an example of the types of ACCESS DENIED errors you may see. Note that your process name would not be regedit.exe.&lt;br /&gt;&lt;a href="https://msinfluentials.com/blogs/jesper/AccessDeniedErrors.jpg"&gt;&lt;img src="https://msinfluentials.com/blogs/jesper/AccessDeniedErrors.jpg" border="0" alt="" /&gt;&lt;/a&gt;&amp;nbsp;&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana" size="2"&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;br /&gt;To fix the problem you need to set permissions. If you are not comfortable with exactly how to do that, I can help you if you send me the keys that are causing the error. You can do that most easily by clicking CTRL+A in Process Monitor, and then clicking CTRL+C to copy it. Then click the &amp;quot;Comments&amp;quot; link on the right side of the blog to send me a message, and paste the output into it. &lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;To fix the problem yourself you can also change the permissions on the registry key (typically) or file that is a problem. I have not yet seen this happen because of file permissions, but if it does, it would be interesting to know. To fix registry permissions problems, do this:&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Right click the event and select “Jump to...”&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Right-click the key that is listed and select “Permissions...”&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Click Advanced&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Make sure that permissions are at least Full Control for TrustedInstaller, and Read for Administrators and SYSTEM. If that is what you have, and you are using a non-Windows installer (such as Adobe Updater), close the Advanced window, select the Administrators entry, and click the Full Control checkbox&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Click OK to close the dialogs.&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Retry the update&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;This will work under the assumption that the proper permissions were overridden on that particular key. In general, permissions on these keys should be Read for everyone except Trusted Installer, as follows:&lt;br /&gt;&lt;a href="https://msinfluentials.com/blogs/jesper/RegistryPermissions.jpg"&gt;&lt;img src="https://msinfluentials.com/blogs/jesper/RegistryPermissions.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;You may, however, see Administrators have Full Control, or SYSTEM having Full Control. Those are both typically acceptable. &lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;If this helps you, and you do not mind, could you please post a comment with the key that was a problem? It would be very interesting if we could figure out if this is caused by some particular piece of software that modifies some particular value. &lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&lt;strong&gt;Problems Installing Windows Installer 3.1&lt;/strong&gt;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;After I wrote the original post I was contacted by a gentleman who was getting access violation errors when trying to install Windows Installer 3.1. He had Norton Internet Security&amp;nbsp;(NIS)&amp;nbsp;2007 installed, and had upgraded the computer from Windows XP Home to Windows XP Pro.&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;After some basic troubleshooting I suggested he remove NIS to see if that resolved the issue. Unfortunately, it would not uninstall because it required Windows Installer to uninstall.&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;As it turns out, Symantec has an &lt;a class="" href="http://service1.symantec.com/Support/tsgeninfo.nsf/pfdocs/2001112111324439"&gt;article on how to resolve this&lt;/a&gt;. It basically involves deleting the old Windows Installer manually. &lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;On Windows XP, start by&amp;nbsp;downloading the &lt;a class="" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=889482fc-5f56-4a38-b838-de776fd4138c"&gt;Windows Installer 3.1 files&lt;/a&gt;. Then, open a command prompt running as an administrator and rename/delete these files:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;msi.dll&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;msihnd.dll&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;msiexec.exe&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;After that, restart, and install the Windows Installer 3.1 file you downloaded. I have a concern with this approach, however. The DLLs are in use, by at least two processes. Thus, while you can rename them, they will actually remain in place, as shown by this command line output:&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;C:\WINDOWS\system32&amp;gt;ren msi.dll msi.dll.old&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;C:\WINDOWS\system32&amp;gt;ren msihnd.dll msihnd.dll.old&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;C:\WINDOWS\system32&amp;gt;ren msiexec.exe msiexec.exe.old&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;C:\WINDOWS\system32&amp;gt;dir msi.dll&lt;br /&gt;&amp;nbsp;Volume in drive C has no label.&lt;br /&gt;&amp;nbsp;Volume Serial Number is 6050-9DD5&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;Directory of C:\WINDOWS\system32&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;08/04/2004&amp;nbsp; 12:56 AM&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 2,804,224 msi.dll&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 1 File(s)&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 2,804,224 bytes&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 0 Dir(s)&amp;nbsp; 14,033,321,984 bytes free&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;The file gets put back where it belongs even after you do this and reboot. On some systems, those files are under System File Protection:&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;C:\WINDOWS&amp;gt;dir /s /b msi.dll&lt;br /&gt;C:\WINDOWS\ServicePackFiles\i386\msi.dll&lt;br /&gt;C:\WINDOWS\system32\msi.dll&lt;br /&gt;C:\WINDOWS\system32\dllcache\msi.dll&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;In other words, I do not buy the solution Symantec is listing as a viable solution on all computers. On at least some computers those files will be under System File Protection. Once you try to delete them, the OS will enter them into System File Protection, making it very difficult to get rid of them. Thus, your mileage with Symantec&amp;#39;s solution will vary. Personally, I would instead suggest you try the Windows Vista solution, regardless of which OS you are on.&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;From an elevated command prompt, run:&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;msiexec /unregister&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Followed by:&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;msiexec /regserver&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p class="MsoPlainText" style="MARGIN:0in 0in 0pt;"&gt;Now try to update the Windows Installer (if you are on XP. If you are on Vista, you already have the latest version). Then try to remove Norton Internet Security, and see if your problems go away. If they do, you can, optionally, reinstall Norton Internet Security.&lt;br /&gt;&lt;/p&gt;&lt;/font&gt;&lt;p&gt;&lt;img src="http://msinfluentials.com/ink/37.ashx?633425970899830000" alt="" /&gt;&lt;/p&gt;&lt;img src="http://msinfluentials.com/aggbug.aspx?PostID=7569" width="1" height="1"&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Windows Security" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Windows+Security/default.aspx" /><category term="Troubleshooting" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Troubleshooting/default.aspx" /></entry><entry><title>Public Education in Washington State</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/03/28/public-education-in-washington-state.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/03/28/public-education-in-washington-state.aspx</id><published>2008-03-28T19:20:00Z</published><updated>2008-03-28T19:20:00Z</updated><content type="html">&lt;p&gt;This is a bit off topic for me, but it is an important thing to get out there nevertheless. I love living in Washington State. It may be snowing as I write this, but in general, I really like this state, the lifestyle, the people, and our wonderful natural environment. I&amp;#39;ve lived on both coasts of the US, twice, and in the middle, and in Europe, twice, and I like this place best of all. &lt;/p&gt;
&lt;p&gt;There is, however, a significant downside to this state, one which has gotten worse in recent years: public education. Washington State, home to many&amp;nbsp;companies needing highly educated&amp;nbsp;talent,&amp;nbsp;like Microsoft, Amazon.com, Boeing, Real Networks, F5 Technologies, Safeco Insurance, Washington Mutual, etc, has a public education crisis. Spending per student in this state ranks &lt;a class="" href="http://www.washingtonea.org/static_content/news/stats/one.pdf"&gt;42nd in the nation&lt;/a&gt;, just below Alabama! (Note, some studies have it ranking from 32nd to 46th, depending on the year and the methodology used).&lt;/p&gt;
&lt;p&gt;The upshot of this is that our schools are in a crisis. At this very moment, the school board in the district where I live is just waiting for May 13, when it can finally acknowledge its decision to close one of the elementary schools in our town. This will result in shuffling 800 students around, away from their friends. My kids will be bused past two schools, including the one about three quarters of a mile from our house where they currently go, to a school over four miles away. And I moved here because of the school and because I did not want my kids to have to go through any more changes of school than absolutely necessary. In addition, this action&amp;nbsp;will result in moving the Spanish dual language program away from the school where there are actually students that need it, to a school over a mile away from any&amp;nbsp;public transportation. This may not be intuitively obvious, but many of the parents of the children who need dual language education have no cars at all, or one at best, and really rely on public transportation. All in all, they are shuffling 800 children away from their neighborhood schools and dispersing them throughout a&amp;nbsp;75 square mile area, away from their neighborhoods, their friends, and the teachers they have learned to love and trust. All of this because of the combined double-whammy of the state&amp;#39;s complete failure&amp;nbsp;in its responsibility to its children and all&amp;nbsp;the various unfunded mandates that the federal government has imposed upon local schools. &lt;/p&gt;
&lt;p&gt;The second-most ironic part of all? The affected area is serviced by state senators &lt;a class="" href="http://www1.leg.wa.gov/senate/Oemig"&gt;Eric Oemig&lt;/a&gt;, a member of the &lt;a class="" href="http://www1.leg.wa.gov/Senate/Committees/EDU"&gt;&amp;quot;Early Learning and K-12 Education Committee&amp;quot;&lt;/a&gt; and &lt;a class="" href="http://www1.leg.wa.gov/Senate/mcauliffe"&gt;Rosemary McAuliffe&lt;/a&gt;, the chair of that same committee. If &lt;em&gt;the two senators have failed/neglected to fix school funding problems in their own districts&lt;/em&gt;, then something is really rotten in Washington State. Well, maybe the irony there is matched by the fact that &lt;a class="" href="http://www.governor.wa.gov/priorities/education/default.asp"&gt;Governor Gregoire&amp;#39;s second highest priority is education&lt;/a&gt;. Note the complete lack (save for the creation of a committee to study the problem) of any action on her part to improve general education funding in the past 18 months. I guess we should be happy that &lt;a class="" href="http://www.governor.wa.gov/news/news-view.asp?pressRelease=670&amp;amp;newsType=1"&gt;she at least invited &amp;quot;Happy Feet Fans&amp;quot; to trick or treat in the governor&amp;#39;s mansion&lt;/a&gt; - clearly a worthy achievement in education. &lt;/p&gt;
&lt;p&gt;So, what is the most ironic part? It is this paragraph, taken from the Washington State Constitution:&lt;br /&gt;“It is the paramount duty of the state to make ample provision for the education of all children residing within its borders, without distinction or preference on account of race, color, caste or sex.”&lt;br /&gt;Washington Constitution, article IX, section I&lt;/p&gt;
&lt;p&gt;As the &lt;a class="" href="http://www1.leg.wa.gov/documents/Senate/SCS/WM/SwmWebsite/Publications/2007/K12Guide2007.pdf"&gt;2007 Citizen&amp;#39;s Guide to Washington State K-12 Finance&lt;/a&gt; correctly points out: &amp;quot;This constitutional provision is unique to Washington. While other states have constitutional provisions related to education, no other state makes K-12 education the “paramount duty” of the state.&amp;quot;&lt;/p&gt;
&lt;p&gt;I&amp;#39;m starting to wonder whether the word &amp;quot;ample&amp;quot; has a special meaning to politicians? &lt;/p&gt;
&lt;p&gt;In light of all this, I found this letter, which Nancy Hill, another parent in the district, just sent to&amp;nbsp;USA Today, quite poignant. If you are considering a job offer from one of the companies I mentioned earlier, you may want to bargain for a supplement to cover private school tuition:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Washington State&amp;#39;s Dirty Little Secret:&amp;nbsp; Public Schools&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;C&lt;/strong&gt;onsidering a move to Washington State?&amp;nbsp; The state certainly looks appealing.&amp;nbsp; While Washington State is bucking national trends in regard to job creation and home values, we have one dirty little secret that many people want to keep buried.&amp;nbsp; If you are planning a move to the Seattle area, you will find that high paying job, your home probably will retain its value, but you better budget in about $25,000 per child for private education.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;Consider this...&amp;nbsp; Mr. Gates found it easier to ask Congress to grant more international work visas than improve public education in his own state.&amp;nbsp; All of those employees roaming the corridors of Microsoft... good thing most of them received an education elsewhere and they should not expect Mr. Gates to hire their Washington State educated children. &lt;/p&gt;
&lt;p&gt;Simply stated, Washington State school districts are too large and our state funding is antiquated.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;Washington State ranks 46th in the nation in terms of class size. Another fun Washington State education fact: Per-pupil expenditures as a percentage of per capita income was only 21.8%, ranking the state 45th nationally. Washington has the 12th highest personal income per capita in the nation.&lt;br /&gt;(Source: &lt;a class="" href="http://www.technology-alliance.com/pubspols/studies/benchmarking06.html"&gt;http://www.technology-alliance.com/pubspols/studies/benchmarking06.html&lt;/a&gt;.)&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;Your child&amp;#39;s &amp;quot;Chance for Success&amp;quot; ranking in the state of Washington is 22nd.&amp;nbsp; (SOURCE: Quality Counts 2007: From Cradle to Career, Editorial Projects in Education Research Center, 2007.)&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;So yes, Washington State can offer you a great job, a home that will retain its value, great air quality and recreation.&amp;nbsp; But please don&amp;#39;t expect your child to receive a great public education in Washington State. It seems that our state government really doesn&amp;#39;t care.&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author></entry><entry><title>Help us Neelie! Please, help us!</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/03/21/help-us-nellie-please-help-us.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/03/21/help-us-nellie-please-help-us.aspx</id><published>2008-03-21T22:28:00Z</published><updated>2008-03-21T22:28:00Z</updated><content type="html">&lt;p&gt;Apple clearly has a de-facto monopoly in the portable music player market, with upward of 70% of that market. It is busily working on monopolies in the music software and downloads markets and is behaving monopolistically in the PC market as well. Some of those market shares have certainly been helped by bundling iTunes with the completely unrelated QuickTime, which has a huge installed base. &lt;/p&gt;
&lt;p&gt;Continuing on the strategy that bundling helps expand market share, Apple has now started &amp;quot;leveraging&amp;quot; (a synonym for &amp;quot;abuse&amp;quot;) those monopolies to force people to use its web browser, Safari. Safari, of course, has a minuscule market share; less than 6% according to &lt;a href="http://www.betanews.com/article/Apple_pushing_iTunes_QT_users_on_Windows_to_download_Safari/1206113171"&gt;BetaNews&lt;/a&gt;. Starting very recently, if you install QuickTime (with no additional options) you will be presented with this dialog:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://msinfluentials.com/blogs/jesper/ApplePushingSafariIllegally.jpg"&gt;&lt;img src="http://msinfluentials.com/blogs/jesper/ApplePushingSafariIllegally.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;This astonishing abuse of power threatens to destabilize the software market world-wide, thwart choice, and hamper innovation. What would happen if Apple were actually successful in giving away lots of copies of its free browser? That would bite into other browsers&amp;#39; market shares and ensure that the organizations that wrote them do not get to give away a lot of copies of their free browsers. Eventually we will be in an Apple hegemony! We will all be looking at small fonts, shaded colors, and thin stuff. We will all look svelte and cool, wear turtlenecks and jeans, and nobody would grow older than 26! Oh No! There would be no more geeks! Worse still, everyone will be subject to all the vulnerabilities in Safari. Terrorists can use this hegemony to take down the Internet, endangering civilization as we know it.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Clearly it must be illegal to abuse a monopoly in this way to push unrelated software onto an unsuspecting public. If only there were a government agency that took it upon itself to protect the public from miscreants such as Steve Jobs. Without protection from some kind of commission we will be crushed under the foot of his anti-competitive and hostile practices! If only there were someone who has stood up for individual choice and free competition among American firms in the past...&lt;/p&gt;
&lt;p&gt;Maybe if we found our savior she could force Apple to make a version of QuickTime without sound? That would certainly promote competition.&amp;nbsp; &lt;br /&gt;&lt;/p&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Thinking differently" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Thinking+differently/default.aspx" /></entry><entry><title>Regulatory Silliness</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/03/10/regulatory-silliness.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/03/10/regulatory-silliness.aspx</id><published>2008-03-10T17:30:00Z</published><updated>2008-03-10T17:30:00Z</updated><content type="html">&lt;p&gt;&lt;a class="" href="http://www.sbsdiva.com/"&gt;Susan&lt;/a&gt; just pointed me to a &amp;quot;&lt;a class="" href="https://www.pcisecuritystandards.org/docs/saq_c_v1-1.doc"&gt;Self-assessment questionnaire&lt;/a&gt;&amp;quot; for the &lt;a class="" href="https://www.pcisecuritystandards.org/"&gt;Payment Card Industry Data Security Standard&lt;/a&gt; (PCI/DSS). While, on the whole, the intent of that standard&amp;nbsp;is good, there are some areas of it that, as usual, stray into the realm of regulatory silliness.&lt;/p&gt;
&lt;p&gt;For example, on page 6, under the requirement to &amp;quot;Do not use vendor-supplied defaults for system passwords and other security parameters&amp;quot; we find 2.1.1.a &amp;quot;Are SSID broadcasts disabled?&amp;quot; &lt;a class="" href="https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf"&gt;The PCI/DSS Security Standard version 1.1&lt;/a&gt; actually requires disabling broadcast of the SSID in requirement 2.1. As &lt;a class="" href="http://en.wikipedia.org/wiki/WiFi,_802.11"&gt;Wikipedia&lt;/a&gt; says &amp;quot;SSID is broadcast in the open in response to a client SSID query...&amp;quot; When a client asks for the access point, the SSID is always broadcast. Thus, to find the SSID of any network, all you have to do is listen when a client associates to the network. The Wi-Fi Alliance actually points this out in its &lt;a class="" href="https://www.wi-fi.org/files/wp_3_Securing%20Wi-Fi%20In%20The%20Enterprise_2-6-03.pdf"&gt;Enterprise Solutions for Wireless LAN Security&lt;/a&gt; document. That document also recommends broadcasting the SSID as a security best practice to ensure that users have the information they need to select the right network. &lt;/p&gt;
&lt;p&gt;The really bad part about the advice to hide the SSID, however, is hinted at in the &lt;a class="" href="http://beta.wi-fi.org/files/wp_6_WPA%20Deployment%20for%20Public%20Access_10-28-04.pdf"&gt;WPA Deployment Guidelines for Public Access Wi-Fi Networks&lt;/a&gt;, from the Wi-Fi Alliance: &amp;quot;A radio signal with a familiar SSID does not ensure that the user will be connected to equipment operated by a service provider that the subscriber trusts.&amp;quot; The same document also points out that the client will connect to the closest AP for purposes of data transport. To see how that would work, assume that a network has a hidden SSID, and the client has been pre-provisioned to connect to that SSID. In this case the client may actually end up connecting to a fake network if the fake network is perceived to be closer. The client will connect to the one with the stronger signal, and will not be able to tell that one of them is rogue. If the remaining security parameters differ between the real network and the rogue one the client will not automatically connect; the user will have to accept the connection. However, the user has no simple way to tell the real network from the rogue one either. If the networks broadcast their SSIDs the conflict would be much more easily detectable. Some clients may even automatically downgrade the security and connect to the fake, but visible,&amp;nbsp;network, without user interaction. This would not work if the real network were broadcasting its security parameters. The client would detect that there were two networks with the same SSID and different parameters. &lt;/p&gt;
&lt;p&gt;Curiously, the PCI/DSS Security Standard version 1.1 does &lt;em&gt;not&lt;/em&gt; require use of WPA2 or even WPA for security on wireless networks. It only recommends that they be used &amp;quot;when WPA-capable.&amp;quot; In other words, it permits use of the completely discredited &amp;quot;Wired Equivalent Privacy&amp;quot; (WEP) protocol, which provides no security at all, and requires use of security theater measures that actually reduce the security of your wireless network. One is left to wonder when the next TJX disaster will happen. &lt;/p&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Security Pontification" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Security+Pontification/default.aspx" /></entry><entry><title>1722 Error from InstallShield</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/03/10/1722-error-from-installshield.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/03/10/1722-error-from-installshield.aspx</id><published>2008-03-10T16:47:00Z</published><updated>2008-03-10T16:47:00Z</updated><content type="html">&lt;p&gt;Last week I found a post in the Vista newsgroups from a lady who was having problems installing Kaspersky Anti-Virus. She was getting an error 1722 upon installation on one computer out of three and the installation failed. She had called both Kaspersky and her computer manufacturer (HP) and neither could help. HP told her to get a new anti-virus package, and Kaspersky had no help to give.&lt;/p&gt;
&lt;p&gt;Searching a little I found a solution on a site called MyDigitalLife.com, but it was a bit complicated getting at it, and it came in the form of some registry files with no real information on what the problem is. Therefore, I thought I would explain the problem here and give a solution that worked at least for this lady. &lt;/p&gt;
&lt;p&gt;1722 is an error from InstallShield, a third-party installation technology. It means that some custom action failed during installation. Usually custom actions are used to run external software, such as regsvr32.exe to register something. &lt;br /&gt;&lt;br /&gt;The thread on MyDigitalLife&amp;nbsp;indicates that this has to do with a corrupted registry entry. It basically shows that, for some reason, the path in the registry to where the device driver information files are located has been corrupted. Thus, your first step in troubleshooting should be to validate that path:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;div&gt;Elevate a command prompt by right-clicking the Command Prompt in Start:All Programs:Accessories and selecting Run as administrator...&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;From the command prompt, run regedit.exe&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;If you have a 32-bit system, navigate to &lt;br /&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. &lt;br /&gt;If you have a 64-bit system, navigate to &lt;br /&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;
&lt;div&gt;Set the &amp;quot;DevicePath&amp;quot; value to &amp;quot;%SystemRoot%\Inf&amp;quot; (without the quotes).&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;If this does not help there could be other things wrong, but at least this seems to have helped several people. &lt;/p&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Running Windows" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Running+Windows/default.aspx" /></entry><entry><title>Measuring Identity Theft</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/02/29/measuring-identity-theft.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/02/29/measuring-identity-theft.aspx</id><published>2008-02-29T23:20:00Z</published><updated>2008-02-29T23:20:00Z</updated><content type="html">&lt;p&gt;Chris Hoofnagle, of the Berkeley Center for Law and Technology, just published a fascinating report entitled &amp;quot;&lt;a class="" href="http://repositories.cdlib.org/bclt/lts/44/"&gt;Measuring Identity Theft at Top Banks&lt;/a&gt;.&amp;quot; If you have not already, and you are at all interested in security and privacy, you owe it to yourself to read the report. It analyzes identity theft reported to&amp;nbsp;the Federal Trade Commission to start developing an understanding about which institutions have more of it. &lt;/p&gt;
&lt;p&gt;Chris is very clear that this is a first version of the report and that it needs to be extended and expanded, and even lists a number of weaknesses of the current methodology in the report. However, it strikes me that one of the unfortunate side-effects of this type of analysis is that people may read it as an indictment of some of the victims of identity theft: the organizations who are targeted. Granted, many organizations are clearly not doing enough to help their customers avoid identity theft. Some, such as TJX and the U.K. Government, have shown a completely reckless disregard for their customers&amp;#39; privacy, apparently without any significant consequences. Yet, many organizations are doing interesting things to combat the problem. Without truly understanding what it was that caused Bank of America to show up as the institution with the largest incidence of identity theft, I do not think we should rush to indict them as an unsafe institution to do business with. &lt;/p&gt;
&lt;p&gt;To that end, and in the hope that both Chris Hoofnagle, and others who extend his work, do so in ways that assist our understanding of this serious crime, I composed a commentary about the report. I already sent it to Chris, but thought it might be interesting reading to others as well. Chris responded to my commentary, and his responses, where relevant,&amp;nbsp;are also included below. &lt;/p&gt;
&lt;p&gt;1.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The source of the information used by the criminals may be entirely unrelated to the institution the consumer reported as being involved in the crime. For example, if you look only at the phishing subset of identity fraud, as much as 75% of it is targeted at eBay (&lt;a href="http://www.sophos.com/pressoffice/news/articles/2006/07/top-phishing-targets.html"&gt;http://www.sophos.com/pressoffice/news/articles/2006/07/top-phishing-targets.html&lt;/a&gt;). However, eBay shows up relatively low in the report. This could be for a number of reasons:&lt;/p&gt;
&lt;p&gt;a.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The institution where the information came from may not be the institution where it was used. This may, in fact, explain the occurrence of identity fraud at telecom companies. It is not too difficult to open a new wireless account, and the information gleaned from an account takeover at eBay probably gives you enough to do so.&amp;nbsp; I have seen proprietary, largely anecdotal, evidence that many account compromises are not actually used on the site where the account was stolen, but somewhere else that provides more value. &lt;/p&gt;
&lt;p&gt;b.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The FTC does not get involved in crimes involving eBay to the same extent that they do in crimes involving financial institutions. Much of the crime is about monetizing information these days, and doing so is far easier on Bank of America than on PayPal, far easier on PayPal than on eBay, and far easier on eBay than on other online properties. &lt;/p&gt;
&lt;p&gt;c.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The crimes are almost exclusively targeted at the end-user. End users of certain institutions are probably far more likely to be victimized by less than perfect attacks on their identity because of the type of customer the institution targets. For example, Capital One targets primarily the low-income, less educated, and less creditworthy credit card customer. It stands to reason that they would be more likely to fall for fraud than an HSBC customer, who is likely more sophisticated. HSBC, at least in the U.S., also would have far fewer customers than Capital One, skewing the results. In short, without taking into account predisposing factors such as the education level of the customers, the number of customers, and so on, the result seems more flawed than the study acknowledges. &lt;/p&gt;
&lt;p&gt;Chris responds that &amp;quot;...banks are underinvesting and downplaying their true losses from identity theft.&amp;nbsp; Blame is a difficult issue here--yes, the impostor is to blame, but there are situations in law where one becomes&amp;nbsp; responsible for the criminal actions of third parties.&amp;nbsp; Landlords, for&amp;nbsp; instance, can be liable to tenants for certain criminal actions of&amp;nbsp; third parties.&amp;nbsp; It&amp;#39;s in this spirit that banks share some blame in these crimes.&amp;quot; I would add that, yes, many banks are, and they are proving far more interested in complying with voluntary regulations such as the &lt;a class="" href="http://www.ffiec.gov/pdf/authentication_guidance.pdf"&gt;FFIEC guidelines&lt;/a&gt; than they are in truly helping their customers protect themselves. That much is obvious from the implementation of completely ineffective authentication systems, such as measurement of typing cadence. However, some organizations are doing the right thing, and have recognized that protecting their customers is key to their survival as a business. On the whole though, maybe the banks&amp;#39; rush to comply with even voluntary standards, like FFIEC, is indicative of the power of regulation and should be harnessed?&lt;/p&gt;
&lt;p&gt;2.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; The report mentions that the data is a step toward giving the consumer information to vote with their feet and choose “safer institutions.” However, what constitutes a safer institution? Certainly, an institution with a lower incidence of identity theft by deposits is not necessarily any safer, because that data is skewed in favor of institutions with a few very large accounts. Likewise, an institution with a lower overall count of identity theft is also not necessarily safer. The fact that Third First National Bank of The Side Street off Main in SomeTown, Idaho had no incidents of identity theft could simply be a reflection of the fact that they have fewer than 6 accounts, not that their strategy to use 4-digit PIN codes on their web site was particularly effective. The “safer institutions” are the ones that provide their customers with the information they need to protect themselves, that include information on how to authenticate a web site to the customer, and which take a lead in customer education and fraud combat. Bank of America’s SiteKey system is often cited as a model in that space. Discover Card’s refusal to present customers with even an SSL certificate prior to logon sits at the other end of the spectrum. The present study, unfortunately, seems to suggest that an institution with less fraud, in absolute terms, is therefore safer.&lt;/p&gt;
&lt;p&gt;3. On page 2 the report mentions that institutions should report the number of identity theft events avoided. How exactly could that be measured? Is that not like proving a negative? Certainly, an institution can cite numbers on how many incidents of attempts at opening fraudulent accounts its customer service representatives caught, but that hardly captures the full picture. I can prove I did not get hacked this week, but my “proof” may only prove that my detection mechanisms are flawed.&lt;/p&gt;
&lt;p&gt;4. Another explanation for fraud at telecom companies may be stolen devices. Without an understanding of the nature of the fraud it is impossible to say what the source is, and to pass any judgment on the organization&amp;#39;s acumen in helping its customers. The data appears to have no indication at all of what the source of the fraud is.&lt;/p&gt;
&lt;p&gt;5. Which brings me to my point about suggested further study: why. Why is it that some institutions have a far greater incidence of identity theft than others? At this point, I think we need some hypotheses about the contributing factors, including customer demographics, number of customers, size of the accounts, the ease with which account takeover can be monetized, the protective measures in place at the institutions, the type of advice given to customers, and so on. This requires far more data gathering, and some multivariate analysis of the impact of each variable on the number of accounts stolen.&lt;/p&gt;
&lt;p&gt;6. Are the months covered by the report (by necessity, obviously) actually representative of the year 2006? Certainly, the data is very interesting, and this report is the first of its kind. However, future studies, I believe, must look at larger, more representative data sets. Looking, again, at the subset of fraud presented by phishing attacks, I am not at all convinced that the months in this report are representative. According to the Anti-Phishing Working Group’s report for December 2006 (&lt;a href="http://www.antiphishing.org/reports/apwg_report_december_2006.pdf"&gt;http://www.antiphishing.org/reports/apwg_report_december_2006.pdf&lt;/a&gt;) January and March were some of the calmest months for phishing in 2006, and September had the lowest figure of the latter half of 2006. Of course, much of the fraud reported in September may have been based on data stolen in prior months, but the fact still remains that the activity differs by month. In fact, reports for January and March were both about one standard deviation below the annual average. Reports for September, while roughly at the annual average, were almost one and a half standard deviations below the average for the second half of the year. Compared to the average for the second half, January and March reports were well over three standard deviations below the average. Thus, I do not think it is reasonable to say that January, March, and September were representative months, since it is clear that the number of reports trended significantly upward over the year. Obviously, the current report advances our understanding far more than not having any analysis at all, and a larger analysis would have taken far longer. I would just like to see a more representative sample in the next report.&lt;/p&gt;
&lt;p&gt;Chris responded that the months were chosen totally randomly, and that the seasonality of the crime makes that a weakness. However, obtaining an entire year&amp;#39;s worth of records takes a year.&lt;/p&gt;
&lt;p&gt;7. The report merges data for institutions such as “Citibank Visa” and “Citybank” into one canonical representation. Is that actually accurate though? For example, did Citibank National Association use different protective measures than Citibank (South Dakota) National Association? If they did, the merge is not warranted. In fact, if a single institution has different ways to access different types of accounts, then I think each type of account needs to be considered separately.&lt;/p&gt;
&lt;p&gt;8. You mentioned that getting data on wireless subscribers is not possible. I disagree. It is possible to get some form of data, although it is obviously not entirely accurate. In a couple of internet searches I managed to find several sources of such data. For example, AT&amp;amp;T reports having 70.1 million subscribers (&lt;a href="http://www.att.com/gen/general?pid=7461"&gt;http://www.att.com/gen/general?pid=7461&lt;/a&gt;). T-Mobile USA reported having 25M by the end of 2006 (&lt;a href="http://www.unstrung.com/document.asp?doc_id=118633&amp;amp;page_number=1&amp;amp;table_number=2"&gt;http://www.unstrung.com/document.asp?doc_id=118633&amp;amp;page_number=1&amp;amp;table_number=2&lt;/a&gt;). HTC actually reports numbers for all the major carriers at &lt;a href="http://www.htcamerica.net/products/products-carrier.html"&gt;http://www.htcamerica.net/products/products-carrier.html&lt;/a&gt;. They may not be completely accurate, but as a first-order approximation I think they should do nicely.&lt;/p&gt;
&lt;p&gt;Chris responds to this that he considers any number untrustworthy unless it is filed in a document with the government. It is hard to disagree with that position, but I personally would have been inclined to make do with potentially flawed numbers if accurate data is impossible to come by. I will consider that merely a disagreement on scientific philosophy.&lt;/p&gt;
&lt;p&gt;9. On page 7 the report, again, makes the claim that “A more complete picture of identity theft will not emerge until institutions provide more transparency on the problem.” While I applaud the effort to get transparency into the problem, this is fraught with problems in several ways. First, the institution, while it is an incidental victim, is not the true victim, and not the true target. The end-user is. The institution may not always know that it was involved, especially not if the account is stolen from one institution but used at another one. Data on the institutions, like you have in the present study, may indicate that it is easier to monetize stolen information in some places than in others, but it says nothing about the protective measures those institutions are using to protect the information they themselves own.&lt;/p&gt;
&lt;p&gt;On the whole, I find the report fascinating, and an important first step in furthering our understanding of identity theft. I thank Chris for doing this. Now we need to keep building on it and develop a real understanding of the causes of identity theft and how effective the mitigations are.&lt;/p&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Security Pontification" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Security+Pontification/default.aspx" /></entry><entry><title>Q&amp;A with Amazon about the Server 2008 Security Resource Kit</title><link rel="alternate" type="text/html" href="http://msinfluentials.com/blogs/jesper/archive/2008/02/28/q-amp-a-with-amazon-about-the-server-2008-security-resource-kit.aspx" /><id>http://msinfluentials.com/blogs/jesper/archive/2008/02/28/q-amp-a-with-amazon-about-the-server-2008-security-resource-kit.aspx</id><published>2008-02-28T17:08:00Z</published><updated>2008-02-28T17:08:00Z</updated><content type="html">&lt;p&gt;Yesterday the editor from the IT section at Amazon.com sent me some questions about the Windows Server 2008 Security Resource Kit. The answers will eventually go on the &lt;a class="" href="http://www.amazon.com/dp/0735625042?tag=protectyourwi-20"&gt;book detail page&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The questions, particularly questions 3 - 6, were interesting and thought-provoking, so I thought I would post them here as well. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Question 1:&lt;br /&gt;&lt;/strong&gt;The credentials of the contributors to Windows Server 2008 Security Resource Kit are quite impressive (six of the 12 are Microsoft MVPs, and the others are all either current or former product group employees at Microsoft). How important was it to assemble such a group for this title?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Answer 1:&lt;br /&gt;&lt;/strong&gt;In my opinion, it was necessary. Server products are necessarily complex, and security, by its very nature, requires a very broad understanding of the product. Developing that understanding in a single person is possible, but very time consuming and still does not lead to the breadth of perspective that you find in a group of people. No single person can truly understand both what it is like to implement Active Directory in a 50,000 seat organization, and how to run a 50-seat small business network long-term, and neither of them is probably going to also be one of the world&amp;#39;s foremost experts on implementing public key cryptography infrastructures. By putting together this world-wide team of experts (representing four countries on three continents) we were able to produce a resource that had far more depth and breadth of knowledge than would otherwise have been possible, and you get the expertise of 12 of the foremost experts on Windows Security in a single package. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Question 2:&lt;br /&gt;&lt;/strong&gt;What extras are available on the Resource Kit CD?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Answer 2:&lt;br /&gt;&lt;/strong&gt;First, you get a bonus chapter on Rights Management Services, as well as an electronic copy of the entire book. I am very excited about the electronic copy because it provides a searchable way to read the book. These types of books are always used as references and being able to search it is very valuable.&lt;/p&gt;
&lt;p&gt;You also get some tools that may come in handy for managing servers. Scripting Guru Ed Wilson wrote some custom PowerShell scripts specifically for this book to manage user accounts and other security-related aspects of your deployment. In addition, I wrote a couple of tools for the book. One is my password generator, which I first made available several years ago. It enables you to manage unique administrator account passwords and service account passwords on hundreds or thousands of servers on a network. I also included my elevation tools, which allow you to launch an elevated instance of Windows Explorer, as well as to elevate any command you want from the command line. Having worked with User Account Control (UAC) daily for about two years, I find that one of the biggest impediments to running under UAC is the multiple prompts you get when you perform many file operations. As an administrator, that is a very common task. Elevating Windows Explorer lets you do those operations with a single elevation prompt, and still leave UAC turned on.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Question 3:&lt;br /&gt;&lt;/strong&gt;Comparing the two programs, what are some of the fundamental differences between Windows Server 2008 and Windows Server 2003?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Answer 3:&lt;br /&gt;&lt;/strong&gt;To me, the biggest difference is the fact that while Windows Server 2003 was built under the security best practices of 2002, Windows Server 2008 incorporates all the secure development practices Microsoft learned in the five years since. The field of secure software development has progressed immensely between 2002 and 2007, and incorporating those advances will make Windows Server 2008 much more able to stand up to the threats we will see in the next five years. By the way, it is with a heavy heart that I say that, as I worked hard on security in Windows Server 2003, but it is true.&lt;/p&gt;
&lt;p&gt;Apart from the engineering process, the first thing people will notice is the completely new management model in Windows Server 2008. Instead of installing a lot of separate components, you now deploy roles to the server. This makes a lot of sense because the roles are what you bought the server to fill. By implementing that metaphor in the management tools the risk for misconfiguration is greatly reduced. &lt;/p&gt;
&lt;p&gt;The new kernel features are also very important and will make a big difference for many. First, the new virtualization features are fundamentally going to change how we build and run data centers. The improvements in security, reliability, and performance in the kernel features, such as thread scheduling, and in the networking features, such as the new network file system, are also going to be valuable to many.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Question 4:&lt;br /&gt;&lt;/strong&gt;What do you feel is the biggest security oversight made by network admins?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Answer 4:&lt;br /&gt;&lt;/strong&gt;Put a slightly different way, the area where I see the most room for improvement is in security posture management. Administrators are far too focused on vulnerabilities and on the types of &amp;quot;hardening&amp;quot; tweaks that were useful in the 1990s, when software shipped wide open by default. Today, those things are not nearly as important as it is to manage the security posture of your servers. Far too many administrators still believe in the perimeter and fail to recognize that just about every organizational network today is semi-hostile, at best. The biggest security oversight is not to analyze and manage the threats posed to servers by other actors on the network. The Security Resource Kit goes into depth in discussing what I refer to as Network Threat Modeling, as the analysis phase of Server and Domain Isolation – probably the most powerful security tool in the arsenal today. Yet, the proportion of networks that use these tools is infinitesimal. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Question 5:&lt;br /&gt;&lt;/strong&gt;What are your thoughts on the constant hype surrounding potential security flaws in Vista?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Answer 5:&lt;br /&gt;&lt;/strong&gt;As I have written elsewhere (&lt;a href="http://msinfluentials.com/blogs/jesper/archive/2008/01/24/do-vista-users-need-fewer-patches-than-xp-users.aspx"&gt;http://msinfluentials.com/blogs/jesper/archive/2008/01/24/do-vista-users-need-fewer-patches-than-xp-users.aspx&lt;/a&gt;) I fail to see any data backing up the argument. Certainly, there have been flaws in Vista – and anyone who expected it to be flawless was unrealistic – but the improvements are tremendous over Windows XP. Windows Vista has about half as many critical problems as Windows XP in the same time-frame. I&amp;#39;m not sure that it would have been reasonable to expect it to perform much better than that given how large and complex modern software is and how fast the security landscape is moving. &lt;/p&gt;
&lt;p&gt;Therefore, I have to think that the reasons for the hype are something other than data. The popular press seems to operate on the assumption that complaining about Microsoft generates advertising revenue, and they are probably correct. The fact of the matter today is that a significant portion of the software industry, specifically the security portion, has built its business almost exclusively on selling software that purports to protect Microsoft&amp;#39;s customers from Microsoft&amp;#39;s screw-ups. It is simply terrifying to it, and a grave threat to its business model, that Microsoft should actually manage to produce software, and particularly operating systems, that are so secure they do not need most of the products that portion of the industry sells. &lt;/p&gt;
&lt;p&gt;The popular press, being a largely advertising-funded business, has happily latched on to this perception and boosted the unsubstantiated claims of Windows Vista&amp;#39;s vulnerability to the benefit of their major advertisers. It is truly a sick ecosystem that harms the customer in both the short and long term. The threats today, as I mentioned above, are trending toward the types of things that the security software industry cannot protect against. The new threats are against people, and the focus needs to shift to helping people make better security decisions and take responsibility for their own actions. Unfortunately, the current unsubstantiated hype about Windows Vista is not about protecting customers; it is about selling unnecessary security software and inculcating users and IT managers alike in the belief that they must buy third-party software to run Windows safely; a belief that, with a few notable exceptions, such as anti-virus software, is falsified by the data. In fact, the hype has even led to a huge growth industry in malicious, fake security software. I have seen a lot of people lured by the hype into buying security software that is not security software at all, but simply malware in disguise. The average consumer, inundated with hype, is unable to make out what to really believe. This sick ecosystem is harmful, and the press and the pundits are not helping, but only increasing the hype.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Question 6:&lt;br /&gt;&lt;/strong&gt;In your opinion, which network faces the biggest security risks today: the small office with multiple power users or the large corporation with a large LUA base?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Answer 6:&lt;br /&gt;&lt;/strong&gt;The unmanaged networks. I have seen very well managed and very secure networks in both small and large organizations, and I have seen poorly managed and very insecure networks in both as well. It is not really a matter of size but of how much time and effort is put into the security aspects of it. One of the largest weaknesses seems to be training. Security today is about end-points. Attacks against people are far more prevalent than those against technology and vulnerabilities. We need to, as an industry, understand how to push the security out to the assets that we are trying to protect. In the past we have centralized security because it was a way to centralize management of security. The challenge now is to de-centralize security, while still permitting centralized management. This is a non-trivial task, but it must be done. As a starting point, I dare every IT manager to start analyzing the risks to his or her network, and specifically, what it is they want the network to be used for. Once you understand what it is you want the network to provide, you have a chance to work on making it provide that and nothing else. To me, that is the most important thing we can do. A properly staffed IT group, with adequate training and resources to train its users, an organizational mandate to protect the organization&amp;#39;s assets, and a keen understanding of the business they serve will build a network that is adequately secured regardless of the size of the network. Windows Server 2008 certainly provides some very powerful technologies to help you manage security in your network, but while that is a necessary component, it is insufficient by itself. At a very base level, it is about the people and the processes you have, more than about the technology. Technology will help, but it is just a tool that your people will implement using a process that helps or hurts.&lt;/p&gt;</content><author><name>jesper</name><uri>http://msinfluentials.com/members/jesper.aspx</uri></author><category term="Windows Server 2008" scheme="http://msinfluentials.com/blogs/jesper/archive/tags/Windows+Server+2008/default.aspx" /></entry></feed>